SSL certificates for CUCM, CUPS, CUC (can you use SAN instead of lots of separate ones?)

rogierboeken
Level 1

hi

we are just finishing an upgrade from CUCM 8.6.4, CUPS (8.6.5) and CUC 8.6 to CUCM/CUPS/CUC 10.5.(2?) and have a question about SSL certificates

we generated separate signing requests for:

CUCM (publisher)
  - tomcat

CUPS
  - tomcat
  - cup-xmpp

CUC
  - tomcat

for cup-xmpp we had to use a SAN signing request as it needed the domain.com name as well

so that is 4 standard SSL certificates and 1 SAN certificate, with GoDaddy that is still quite a bit of money

The Jabber clients (11.5) are still not 100% happy as it is also showing an SSL issue with the CUCM-subs (so we need a certificate for that one too) and there is a configuration issue as it is also asking for a cups-pub (without domain name) SSL certificate

is it possible to generate 1 SAN SSL certificate for all these services:

  - cucm-pub.domain.com
  - cucm-sub.domain.com
  - cups-pub.domain.com (both tomcat and cup-xmpp)
  - cuc.domain.com

get it signed by GoDaddy (or other provider) and upload?

We also have 2 certificates for the edgeway core and edge (and those seem to be working fine so will leave that out of the equation for now)

Many thanks

2 Replies

Deepak Rawat
Cisco Employee

You can generate a single CSR using SAN, but that will only be applicable for CUCM and CUPS. For Unity Connection, you will still need to issue a separate CSR.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051_chapter_01.html#CUCM_RF_SEC52373_00

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html

Regards

Deepak

Jonathan Schulenberg
Hall of Fame

Not quite. Each CSR must be separately CA-signed and installed on its intended node, with the exception of the multi-server cert now supported on CUCM 10. For the same reason you cannot use a wildcard certificate, because none of the products support being given the private key.

Other than the multi-server cert, your only approach is to see if a CA will allow you to regenerate (without revoking) the same cert multiple times with additional CN/SANs. I have one coworker who does this with, I believe, Thawte. Personally I think it's a bad idea and a bastardization of how certs are supposed to work, but sometimes the only thing people care about is the cost. This approach has at least three obvious downsides: 1) if you need to revoke one cert you just did it for your entire collab infrastructure; 2) the cert has SANs for your entire solution, allowing a compromised component to impersonate another or allowing an attacker to easily discover the entire solution; 3) good luck convincing TAC that a dozen SANs is supported.

There are several caveats over the years about the size of a cert needing to be under a specific KB in size to fit on the phone firmware. Usually this cropped up with MS CAs, which would add a ton of OIDs with Microsoft-centric stuff. Eventually you learn that coloring outside the lines of what Cisco intended/assumed is more trouble than it's worth.

All of the subscribers in the cluster need the same certs. CUCM, CUC, IM&P, etc.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
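As an added example (not part of this thread or any Cisco tool), the check below takes the names the original poster's Jabber clients are complaining about, including the bare `cups-pub` short name, and reports which of them a given SAN list does or does not cover, using the usual rule that a wildcard only stands in for one whole left-most label. The hostnames and SAN lists are constructed from the question above; it shows why a `*.domain.com` wildcard would not have satisfied the short-name request even if the products accepted it.

```python
from typing import List

def san_matches(san: str, hostname: str) -> bool:
    """Match one dNSName SAN against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only as the entire left-most label: '*.domain.com' covers
    'cuc.domain.com' but not 'domain.com', 'a.b.domain.com' or a bare
    single-label name such as 'cups-pub'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                       # '*.domain.com' -> '.domain.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]    # the part the '*' must stand for
    return bool(leftmost) and "." not in leftmost

def uncovered_names(cert_sans: List[str], required: List[str]) -> List[str]:
    """Return the required service names that no SAN in the cert covers."""
    return [h for h in required
            if not any(san_matches(s, h) for s in cert_sans)]

# Constructed from the question: names the Jabber clients are asking for,
# including the short 'cups-pub' name presented without a domain.
REQUIRED = ["cucm-pub.domain.com", "cucm-sub.domain.com",
            "cups-pub.domain.com", "cups-pub", "cuc.domain.com"]

# Two constructed SAN lists to compare against those names.
WILDCARD_SANS = ["*.domain.com"]
EXPLICIT_SANS = ["cucm-pub.domain.com", "cucm-sub.domain.com",
                 "cups-pub.domain.com", "cups-pub", "cuc.domain.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS), ("explicit", EXPLICIT_SANS)):
        missing = uncovered_names(sans, REQUIRED)
        print(f"{label:8s} SANs -> uncovered: {missing or 'none'}")
```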